Even as the CERT-In Advisory warns of a cyber attack through a massive phishing exercise, the fact is that our neighbour has penetrated the entire Indian IT environment and a “cyber nuclear attack” is a possibility. By Na Vijayashankar
As the country grapples with border clashes with China, Indian IT users have been put on notice by the Computer Emergency Response Team (CERT-In) of a possible cyber war attack.
CERT-In is a quasi-judicial authority with enormous powers under the Information Technology Act, 2000. It is perhaps time for it to realise its powers as well as its responsibilities and grow beyond issuing advisories to initiating specific actions to secure Cyber India.
The notification of June 21, 2020, for the first time named China for planning a cyber attack through a massive phishing exercise under the guise of Covid-related information. CERT-In even identified one of the e-mail addresses that may be used—[email protected]—for sending such phishing mails. It is expected that several government identities may be used to send phishing e-mails which may contain malicious virus attachments that can plant Trojans, key loggers or even launch a ransomware attack. The advisory suggests the usual precautionary measures that need to be taken.
It has been well known for quite some time that China has been building its cyber war capabilities not only against large countries such as Russia and the US, but against India too, which it treats as a traditional enemy. Though experts have warned the government for a long time, its advisers have ignored the warnings that China has been penetrating Indian systems by various means and keeping them in readiness for any attack.
Technically, Chinese companies such as Huawei, as well as others, have taken a firm grip over the Indian telecom network. Today, almost all network routers and all telecom operators in the country use telecom equipment supplied from China. Such equipment is known to come with backdoors that steal data.
In the past, Chinese credit card swiping machines have been found to be embedded with additional chips that send copies of data to China. This is referred to as the Manchurian Chip Attack in cyber crime circles. Scotland Yard reportedly discovered this in the UK and identified such rogue POS machines by weighing them.
Even in India, the telecom industry had raised a flag and at one point a system for "Certifying Telecom Equipment" was suggested. Those were the days of Chinese friendship, and India constituted a committee for such certification with some known experts. The purpose of the committee was defeated the very moment Huawei was to fund the project, indicating a complete absence of security sense in the expert committee. The committee is now defunct, though some of its members are still active in the design of a cyber security framework for India.
A few years back, there was even a suspicion that the Chinese could have planted bugs in CERT-In. The issue was not made public in view of the national interest. The Chinese had also planted their nationals in some organisations, and one Indian company handling a project for the World Bank found that data was being diverted to China and attributed it to some malicious Chinese employees.
Many Indian companies in the IT sector have been funded by Chinese agencies, which have access to their systems and are fully aware of their technical architecture. It is no surprise that some of these companies are being attacked today with ransomware.
China even has strong control over crypto-currency holdings and has mined and reserved a large stock of Bitcoins, which could be unleashed as a weapon in India if the government allows them to be legitimised. Chinese manufacturers of mobiles and laptops have long been suspected of planting malicious code to steal data and even take control of the devices through a secret switch.
Indian software companies have transferred valuable technology to China by opening offices in that country and employing a Chinese workforce. These companies have sold the interests of India for a few dollars, and this allegedly includes all the big IT companies.
Thus, China has systematically penetrated the entire Indian IT environment and is suspected to have far greater control over the Indian network than a "phishing attack" would suggest. At best, a phishing attack may only be a "diversion", and a major attack like a "cyber nuclear attack" is a possibility. Unfortunately, CERT-In has not been vocal about such threats. Its advisory that phishing will increase is welcome, but it falls woefully short of the security market's expectations.
What we need now is an advisory to telecom companies to identify their reliance on Chinese equipment and to conduct a source code audit of all software and hardware supplied from China. We need to filter all IP traffic leading to China and authenticate the destination.
We must note that Russia has set up a completely isolated internet network and exercises far greater control over information flowing out of the country. India needs to move in this direction and create a nationwide information gateway infrastructure, so that any data leaving the country can be monitored and its final destination known.
While this may entail a privacy threat, it is a national security requirement. Just as we cannot allow free movement of people across the borders from Pakistan or China, we need to be able to monitor data traffic from India to China and vice versa. We may, therefore, consider the CERT-In advisory only the bare minimum, which has to be supplemented with a broader security vision.
CERT-In also came up with an advisory—"Zoom is a Security Threat". It ignored the fact that Zoom is a US company and not a Chinese one. It appears that the advisory was released to indirectly benefit some of Zoom's business competitors. These include MNCs that have their own lobbying power with the decision-makers.
Given China's expertise in espionage, the possibility of the Chinese penetrating the government machinery also cannot be ruled out. If part of our political leadership can be seen openly supporting China, the possibility of some bureaucrats having a soft corner for that country cannot be ruled out either. The government has, therefore, to start an operation to clean up its internal systems and people and to identify the dependence of our systems on China. Any laptop or mobile of Chinese origin used by government employees, including secretaries, needs to be checked.
Despite the anti-China sentiment, it was recently reported that a new model of mobile from a Chinese manufacturer sold out in a few hours, indicating that the penetration of Chinese IT equipment is continuing. Whenever such sales take place, apart from requiring a prior licence to sell, the government has to acquire a few random samples of the items being sold and subject them to security scrutiny.
When we introduce such tough measures, there could be charges of violating free trade principles. These should not apply in the current war-like situation.
Recently, CERT-In came up with an unwarranted advisory on Zoom. Yet it did not find it necessary to issue an advisory on the following:
- "Chinese mobiles" using their own OS and pre-installed apps
- "Chinese-made laptops" where the OS and pre-installed apps could have been tampered with
- POS machines used universally for card payments and biometrics, which may steal critical data
- Internet routers and set-top boxes, which can be used to control communication channels to ordinary citizens, including the possibility of a denial of service attack across the country
This needs to be corrected. If China has access to the computers and mobiles sold in India, it does not need a cyber attack through phishing, which any script kiddie can carry out.
Now that CERT-In has come up with this public announcement on China, we must take this intelligence finding to its logical end. Such activity falls under Section 66F of the Information Technology Act and can be considered "Cyber Terrorism". CERT-In has indirectly declared China a "rogue nation" indulging in cyber terrorism and cyber warfare. Hence, there is no reason why international free trade agreements should be considered applicable in the current situation.
It is time that CERT-In went beyond issuing advisories and initiated concrete action to assess and mitigate the China risk in Indian IT infrastructure.
—The writer is a cyber law and techno-legal information security consultant based in Bengaluru
Lead Visual: Amitava Sen